[krb5/f17] add patch for CVE-2012-1016
Nalin Dahyabhai
nalin at fedoraproject.org
Tue Mar 5 18:10:41 UTC 2013
commit df771824e212771bb9251d75d804339275dc427c
Author: Nalin Dahyabhai <nalin at redhat.com>
Date: Tue Mar 5 13:08:02 2013 -0500
add patch for CVE-2012-1016
- add patch to avoid dereferencing a NULL pointer in the KDC when handling a
draft9 PKINIT request (#917841, CVE-2012-1016)
krb5-1.10-pkinit-agility.patch | 42 ++++++++++++++++++++++++++++++++++++++++
krb5.spec | 8 ++++++-
2 files changed, 49 insertions(+), 1 deletions(-)
---
diff --git a/krb5-1.10-pkinit-agility.patch b/krb5-1.10-pkinit-agility.patch
new file mode 100644
index 0000000..7245edc
--- /dev/null
+++ b/krb5-1.10-pkinit-agility.patch
@@ -0,0 +1,42 @@
+commit db64ca25d661a47b996b4e2645998b5d7f0eb52c
+Author: Nalin Dahyabhai <nalin at redhat.com>
+Date: Thu Dec 13 14:26:07 2012 -0500
+
+ PKINIT (draft9) null ptr deref [CVE-2012-1016]
+
+ Don't check for an agility KDF identifier in the non-draft9 reply
+ structure when we're building a draft9 reply, because it'll be NULL.
+
+ The KDC plugin for PKINIT can dereference a null pointer when handling
+ a draft9 request, leading to a crash of the KDC process. An attacker
+ would need to have a valid PKINIT certificate, or an unauthenticated
+ attacker could execute the attack if anonymous PKINIT is enabled.
+
+ CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
+
+ [tlyu at mit.edu: reformat comment and edit log message]
+
+ (back ported from commit cd5ff932c9d1439c961b0cf9ccff979356686aff)
+
+ ticket: 7527 (new)
+ version_fixed: 1.10.4
+ status: resolved
+
+diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
+index 3322310..c271bf9 100644
+--- a/src/plugins/preauth/pkinit/pkinit_srv.c
++++ b/src/plugins/preauth/pkinit/pkinit_srv.c
+@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context context,
+ rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
+ (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
+
+- /* If mutually supported KDFs were found, use the alg agility KDF */
+- if (rep->u.dh_Info.kdfID) {
+- secret.data = server_key;
++ /* If we're not doing draft 9, and mutually supported KDFs were found,
++ * use the algorithm agility KDF. */
++ if (rep != NULL && rep->u.dh_Info.kdfID) {
++ secret.data = (char *)server_key;
+ secret.length = server_key_len;
+
+ retval = pkinit_alg_agility_kdf(context, &secret,
diff --git a/krb5.spec b/krb5.spec
index 40864b3..feaa2c2 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -20,7 +20,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.10.2
-Release: 8%{?dist}
+Release: 9%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.10/krb5-1.10.2-signed.tar
Source0: krb5-%{version}.tar.gz
@@ -72,6 +72,7 @@ Patch107: krb5-trunk-pkinit-anchorsign.patch
Patch108: http://web.mit.edu/kerberos/advisories/2012-001-patch.txt
Patch109: krb5-1.10-pkinit-null.patch
Patch110: krb5-lookup_etypes-leak.patch
+Patch111: krb5-1.10-pkinit-agility.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -253,6 +254,7 @@ ln -s NOTICE LICENSE
%patch108 -p1 -b .2012-001
%patch109 -p1 -b .pkinit-null
%patch110 -p1 -b .lookup_etypes-leak
+%patch111 -p1 -b .pkinit-agility
rm src/lib/krb5/krb/deltat.c
gzip doc/*.ps
@@ -772,6 +774,10 @@ exit 0
%{_sbindir}/uuserver
%changelog
+* Tue Mar 5 2013 Nalin Dahyabhai <nalin at redhat.com> 1.10.2-9
+- add patch to avoid dereferencing a NULL pointer in the KDC when handling a
+ draft9 PKINIT request (#917841, CVE-2012-1016)
+
* Thu Feb 28 2013 Nalin Dahyabhai <nalin at redhat.com> 1.10.2-8
- fix a memory leak when acquiring credentials using a keytab (RT#7586, #911110)
More information about the scm-commits
mailing list